Merged WWW-Authenticate response headers

[GoogleCodeExporter]

See 
http://groups.google.com/group/modwsgi/browse_thread/thread/1b5e6f8a3484dbc8 
for initial discussion of this issue.

Apache/modwsgi merges multiple WWW-Authenticate headers into one. While this is 
HTTP-conform, browsers (tested with Firefox and Chromium) do not handle this 
properly.

Include two WWW-Authenticate headers in a response (e.g. Negotiate and Basic, 
see attached test_authenticate.wsgi) and run the wsgi application with modwsgi 
in daemon mode. Access the corresponding URL with firefox or chromium, or `curl 
--include` to display response headers.

Expected:
 - The browser continues the authentication process, e.g. with a prompt or another request.
 - curl shows the response containing two WWW-Authenticate headers.

What happens: Both browsers just stop. The WWW-Authenticate headers are merged 
as specified by HTTP.

Original issue reported on code.google.com by mark.nev...@gmail.com on 28 Oct 2011 at 11:08

Attachments:

• test_authenticate.wsgi

[GoogleCodeExporter]

Hello, I would like to vote for this as well. By coincidence, I am currently 
working on a Django app that will send two WWW-Authenticate headers (HTTP basic 
and HTTP digest) to allow the client to choose the method it supports. This has 
worked fine with other WSGI servers, but have not tested yet with mod_wsgi. Of 
course, I do use mod_wsgi, so I will require this feature as well.

I tested using a combined header and found many clients were not up to spec and 
expected separate WWW-Authenticate headers.

Original comment by btimby@gmail.com on 28 Oct 2011 at 2:02

[GoogleCodeExporter]

The repository trunk for mod_wsgi 4.0 has been changed to split up the combined 
WWW-Authenticate returned by daemon process back into separate headers.

Original comment by Graham.Dumpleton@gmail.com on 24 Nov 2011 at 10:18

• Changed state: Accepted
• Added labels: Milestone-Release4.0

[GoogleCodeExporter]

Original comment by Graham.Dumpleton@gmail.com on 19 Mar 2012 at 10:23

• Changed state: Started

[GoogleCodeExporter]

cURL (7.21 and 7.27) and Chrome both fail with multiple WWW-Authenticate 
headers. I used python urllib2, which worked fine. I am using Django app, who 
http server also sent merged WWW-Authenticate headers. cURL worked for with 
Django http server but fails with Apache2/mod_wsgi because of multiple 
WWW-Authenticate headers.

Original comment by rishikul...@gmail.com on 16 Jan 2013 at 11:46

[GoogleCodeExporter]

Fail scenario:
< HTTP/1.1 401 UNAUTHORIZED
< Date: Wed, 16 Jan 2013 09:06:59 GMT
< Server: Apache/2.2.22 (Ubuntu)
< WWW-Authenticate: Digest 
nonce="1358327219.4:DF88:c76a6bc2f76901c1c66ba6cf602b72ce"
< WWW-Authenticate: realm="django-tastypie"
< WWW-Authenticate: algorithm="MD5"
< WWW-Authenticate: opaque="7b2c09d74a75652b109436e2afa361684f5998c4"
< WWW-Authenticate: qop="auth"
< WWW-Authenticate: stale="false"
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8

Success Scenario:
< HTTP/1.0 401 UNAUTHORIZED
< Date: Wed, 16 Jan 2013 10:39:24 GMT
< Server: WSGIServer/0.1 Python/2.7.3
< Content-Type: text/html; charset=utf-8
< WWW-Authenticate: Digest 
nonce="1358332764.43:CA20:a28d8a3ecb5ced0149ca32c851b7a773", 
realm="django-tastypie", algorithm="MD5", 
opaque="c1eb329e445ff3756bff7e53594117829ad95537", qop="auth", stale="false"
< 

Original comment by rishikul...@gmail.com on 16 Jan 2013 at 11:51

[GoogleCodeExporter]

The fix was back ported to mod_wsgi 3.4 already. Presumably you are on an older 
version. Upgrade your mod_wsgi to 3.4.

Original comment by Graham.Dumpleton@gmail.com on 16 Jan 2013 at 9:43

• Changed state: Fixed
• Added labels: Milestone-Release3.4
• Removed labels: Milestone-Release4.0

[GoogleCodeExporter]

I am using mod_wsgi 3.4. The problem I am reporting is that the 3.4 is not 
merging WWW-Authenticate headers which is expected by cURL or Chrome. What are 
you suggestions for working around this issue?

Original comment by rishikul...@gmail.com on 17 Jan 2013 at 6:40

[GoogleCodeExporter]

Go back to use mod_wsgi 3.3. Didn't read the data you dumped up properly.

The problem you are having is caused by this change, not that you are missing 
it.

The simplistic approach the change took of just splitting on commas actually 
turns out to be wrong and will break Digest authentication header. The parsing 
to work out where to split is actually going to be rather complicated, so may 
have to reengineer code to duplicate some stuff Apache does to avoid it doing 
the merge it does in the first place.

No solution right now except to use older mod_wsgi version.

Original comment by Graham.Dumpleton@gmail.com on 18 Jan 2013 at 2:57

• Changed state: Accepted
• Added labels: Milestone-Release4.0
• Removed labels: Milestone-Release3.4

[GoogleCodeExporter]

This is fixed properly for 4.1.0, with original headers being passed back as 
originally set by the WSGI application, avoiding any merging Apache does.

Original comment by Graham.Dumpleton@gmail.com on 23 May 2014 at 2:42

• Removed labels: Milestone-Release4.0

[GoogleCodeExporter]

Closing as fixed in subsequent releases.

Original comment by Graham.Dumpleton@gmail.com on 16 Sep 2014 at 7:41

• Changed state: Fixed